A new, vendor-neutral connected car hack has been discovered that is "indefensible by modern car security technology" and could put many drivers at risk of a critical cyberattack, according to a Wednesday blog post from security firm Trend Micro. The hack was discovered by Trend Micro's Forward-looking Threat Research (FTR) team, Politecnico di Milano, and Linklayer Labs.
While other attacks have targeted specific makes and models--such as the Jeep hack that occured in 2015--this hack targets the controller area network (CAN) standard that exists in a large number of modern, connected cars, regardless of vendor. The CAN bus manages many of the electrical subsystems and control units found in modern vehicles.
So, why is this such a big deal? According to the post, the attack can disable things like a vehicle's airbag, parking sensors, and active safety systems--almost anything that's connected to the car's device network. Also, it can do this in a way that is "invisible" to modern security systems in cars.
The other question nearly every reader is probably wondering is whether or not their vehicle is affected. The post gives a simple, two-word answer: "Likely, yes."
As noted, the vulnerability goes after the CAN standard for connected cars, which was initially developed in 1983 and put into production in 1989, the post said. CAN is being used in "practically every light-duty vehicle currently in circulation today."
The attack specifically targets the messaging system in CAN, in which messages are called "frames." By overloading the system with error messages, the attackers move a device into a Bus Off state, which it is supposed to do in that event, cutting it off from the greater CAN system. By using this on certain systems, like the airbag system or the antilock braking system, hackers can deactivate these systems.
The attack does require a "specially-crafted attack device" to be introduced via local access, meaning the attacker would need access to your vehicle. However, the post said, trends in ride-sharing, carpooling, and car renting are making that much easier.
To fix it, the post said, would take sweeping changes in the standards used in connected cars and for an entire generation of vehicles using the current standard to be phased out. Unfortunately, the post said, there is no OTA (on-the-air) upgrade or dealer recall that can remedy the problem.
"Car manufacturers can only mitigate the attack we demonstrated by adopting specific network countermeasures, but cannot eliminate it entirely," the post said. "To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles."
The researchers recommended that network segmentation, regulated OBD-II diagnostic port access, and encrypted CAN frame IDs be adopted as part of a long-term security solution.
The 3 big takeaways for TechRepublic readers
- A new car hack targets the CAN standard for connected cars, making many drivers vulnerable regardless of their vehicle make and model.
- The attack leverages CAN messages, or frames, to overload certain systems and take them offline. This could deactivate an airbag system, for example.
- Sweeping changes in CAN standards and security protocols are needed to fix the problem, the researchers said. There is no OTA update that can help.
- Why the age of connected cars presents a 'very real threat' in cybersecurity (TechRepublic)
- Why the connected car is one of this generation's biggest security risks (ZDNet)
- Connected cars provide big value, but major risks, for automakers (TechRepublic)
- Three years until connected cars are cyberattack-proof? (ZDNet)
- Cyber Security Volume II: Network Security (TechRepublic Academy)